Classifications

• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • G06F21/60—Protecting data
  • G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
  • G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
  • G06F21/6245—Protecting personal data, e.g. for financial or medical purposes
• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
  • G06F16/10—File systems; File servers
  • G06F16/11—File system administration, e.g. details of archiving or snapshots
  • G06F16/122—File system administration, e.g. details of archiving or snapshots using management policies
  • G06F16/125—File system administration, e.g. details of archiving or snapshots using management policies characterised by the use of retention policies
• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
  • G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
  • G06F21/577—Assessing vulnerabilities and evaluating computer system security
• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • G06F21/60—Protecting data
  • G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
  • G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
  • G06F21/6272—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database by registering files or documents with a third party
• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
  • G06F21/55—Detecting local intrusion or implementing counter-measures
  • G06F21/552—Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting

Definitions

• This invention addresses issues of data privacy and forensic analysis of data files using content-based zero-watermarking techniques to determine the date a file was created.
• TTPs Trusted Third Parties
• the TTPs are obligated to follow contractual requirements or data-handling regulations, such as Regulation B in financial services or privacy laws set by local, state or federal government.
• This data is usually transmitted to the TTPs as a series of database tables (.sql), text files (.csv, .txt. or other format), or as a real-time data feed (e.g. , XML or JSON).
• the Data Provider's data may leak (the leaked file is defined as a "Leaked Subset") into the hands of others ("Bad Actors") who either knowingly or unknowingly use the data illegally. This can happen because a TTP knowingly releases the data, an employee of the TTP knowingly or accidentally releases the data, or an employee of the actual Data Provider knowingly or unknowingly leaks the data.
• the Data Provider's data leaks can be manipulated by Bad Actors in numerous ways: elements can be altered, it can be merged with data from other Data Providers, or it can be broken into subsets or
• Outbound processing refers to the association of unique data with each outbound data subset from a Data Provider (also known as a "watermark” or a "fingerprint” depending on the technique used) so that the data contained in any Leaked Subset, even if altered in some way, can still be identified as coming from the data provider and that specific file.
• a Data Provider also known as a "watermark” or a "fingerprint” depending on the technique used
• Inbound processing allows the Data Provider to then track the flow of data back to a specific TTP so that a probability that it is the likely source of the Leaked Subset can be assigned and its guilt determined in a way that can be enforced in a court of law.
• This requires the ability to take a data file acquired from a third party (a "Wild File") that realistically could contain a Data
• each TTP may receive hundreds of files a month over the course of many years, and there may be thousands of TTPs. Making a match to a single file in a universe of millions files through a brute force approach where a comparison is made to every file would be computationally expensive, if not impossible, with today's technology.
• Change fingerprinting may be defined as a process that can be applied to any text file, database table, or data feed generated by a specific software program that allows it, or associated programs, to determine a posteriori the timeframe (e.g. , the month and year) in which the file was generated, even when its original creation date is unknown.
• a posteriori the timeframe e.g. , the month and year
• the problem space described above is reduced to a reasonable number of files to make Guilt Assignment possible in a reasonable period of time.
• the problem space for matching is reduced from a file universe of two million files to 16,666 files needed for comparison. This reduces the problem space to something manageable where hardware or other forms of system scaling can be used to match the Wild File to a specific Leaked Subset.
• any file or stream of text is generated by a software system
• the date and time of its creation is generally recorded. This information may be found, for example, in the details available through Windows file explorer or by the Is command in Linux.
• meta-data e.g. variable names, value labels
• the text file, data table, or data feed consists of rows of records, or a string of records in the case of an XML or JSON feed.
• Each row contains data on a single object - for example, personal information on a single consumer (e.g., unique user id, name, address, demographic information, etc.) or production information on items (e.g., manufacturer, make, model features).
• at least one column contains a "valid" age for each object at the time the file was created.
• a valid age is one that can be verified against a Date of birth or Production Date, although the invention also covers the case where a date of birth or production date "anchor" may not be available.
• one or more secondary columns containing data that changes in some predictable way over time can be used as an alternate "anchor" to triangulate a valid age for a specific Wild File.
• an individual item in the Wild File can be identifiable via a name, address, etc., or other id, as long as the record contains a persistent and unique identifier (e.g., Acxiom Corporation's ConsumerLink variable) that does not change over time.
• the Data Provider can resort to legal means to stop the leak and recover lost revenue.
• the Data Provider often has a contractual right to audit a TTP suspected of misusing data.
• many TTPs may have been receiving hundreds of data files a month for a long period, such as a decade or more, so the problem becomes difficult due to scale.
• Lacking any mechanic for bounding the search the Data Provider would be required to go through emails, documents, spreadsheets and other physical documentation for the entire period during which data files were sent to try to discover where, when, and how the leak occurred. The cost of such discovery would be substantial and prohibitive in terms of time required for litigation and effort/money spent on the discovery process.
• This invention specifically applies to the inbound processing portion of the machine, as well as to certain elements of legal discovery.
• Fig. 1 illustrates the overall conceptual framework and design for a change fingerprinting system according to an implementation of the invention.
• Fig. 2 illustrates the system reduction mechanics for a watermarking system according to an implementation of the invention.
• Fig. 3 illustrates two example files for comparison, a W, wild file and a current data file, according to an implementation of the invention.
• Fig. 4 illustrates a merge of the W, wild file with the current data file according to an implementation of the invention.
• Fig. 5 illustrates the determination of file year using the change fingerprinting system according to an implementation of the invention.
• Fig. 6 illustrates the determination of file month and year using the change fingerprinting system according to an implementation of the invention.
• Fig. 7 illustrates a comparison of a W, wild file with two files of known date according to an implementation of the invention.
• Fig. 8 is a table containing merged example data from two current Data Provider files of known date and a W, wild file of unknown date according to an implementation of the invention.
• Figure 1 shows the overall system flow, including the Data Owner environment 9 and the data fingerprinting system 1 .
• the Data Owner environment 9 denotes clients, including Data Owner internal clients who use the data fingerprinting system. It is included in this document to provide context for the present discussion and to illustrate the end-to-end data flow. The main system components are numbered and correspond to the brief description below.
• the Data Provider submits a copy of all data files and data feeds delivered to third parties to the file storage system 12.
• the system detects a new file in the system and triggers the file handler process.
• the guilt assignment process 16 generates a guilt score for the wild file 13.
• Figure 2 shows the general system design for the reduction mechanics involved in processing a wild file 13 to determine which TTP 6 originally received the file from the Data Owner.
• the wild file 13 input to the system has age related information, as well as date of birth (DOB) as an anchor.
• Age-related information includes age in two-year increments, new 18 year olds added on a monthly basis, and records for those older than 60 possibly being suppressed.
• Accurate, consistent, and persistent DOB is provided through a service provider's recognition process, such as the AbiliTec service from Acxiom Corporation, where personally identifiable information (Pl l) (e.g., name and address) from the wild file 13 is matched against the service provider's data.
• Pl l personally identifiable information
• the wild file 13 could be derived from any of the files that have gone out to the Data Owner's customers over the entire period of the Data Owner's records retention, which in this example is ten years.
• the date reduction process described in this implementation of the invention allows the wild file 13 to be dated to the month and year it was created.
• each monthly file release in this example assumed to be approximately 1 TB in size, the total for all monthly releases for the last ten years of retained files would be approximately 120 TB.
• Narrowing the search space to one year out of ten reduces the search space by 90%, but reducing it to one month out of ten years of monthly data eliminates over 99% of the search space.
• the file could originate from any customer receiving files for the particular month/year. This processing is shown at step 7 of Figure 2.
• the fields and individuals associated with a customer order provide a unique fingerprint that acts as an additional reduction mechanism, since each fingerprint is unique and tied to each TTP.
• the horizontal salting procedure described in the applicant's co-pending international patent application no. PCT/US2016/068418 which is incorporated herein by reference, permits a file to be associated with a specific Data Owner client and a TTP with whom the Data Owner has shared their data.
• the result is a further reduced set of files at step 30 in this Figure.
• the wild file 13 can be ascribed to a file received by a specific customer in a specific month/year.
• the final reduction mechanic occurs through statistical comparisons of the properties of variables in the wild file 13 with those from the Data Provider file that went to the specific customer, which occurs at step 32. While it is possible for a Bad Actor to change variable names and how values are labeled, it is much more difficult to alter the statistical properties of the variables per se.
• Two files from the same month based on the same individuals, and with the same variables, should be statistically the same. Statistically similar means the probability density functions of continuous variables and the probability mass functions of categorical variables should be the same. Likewise, bivariate and multivariate relationships among the variables in the files should be essentially the same.
• a guilt score may thus be created (in a range, for example, of 0 to 1 ) that provides a numeric measure of the strength of association between the wild file 13 with the identified Data Provider file.
• the guilt score may correspond to the percentage of rows in wild file 13 that are found in the Data Provider file.
• Other considerations in generating the guilt score may be, for example, the percentage of the variables in wild file 13 that are in the source file; the percentage of the variables in wild file 13 that are also in the source file and have the same metadata characteristics; whether the variable names and levels are exactly the same or have been recoded; and, even in the absence of identical variable names and labels, whether the probabilistic characteristics of variables are statistically the same or similar.
• the Data Provider wants to minimize the number of potential core data files it must compare the wild file 13 against to determine if any of the data in the wild file originates from D.
• the wild file Wi 13 contains a field that indicates age of head of household in two-year increments, and it looks suspiciously like the age in two-year increment field in D.
• the Data provider uses match keys on a random sample subset of W, 13 to match against the Data Provider's current file, and incorporate the two age fields into a single table 24, as shown in Figure 4.
• the Data Provider applies a recognition process to table 24 (e.g. , Acxiom Corporation's AbiliTec service) and acquires these individuals' DOBs, the best information about their current age based on original legal documents such as birth certificates, passports, government issued identification, and so on.
• table 24 e.g. , Acxiom Corporation's AbiliTec service
• DOB current true age
• the system can predict the most likely date, specifically year and month, of the Data Provider's source file from which the data in the W, may have been obtained. This can be done in a one-step process (not shown) or in a two-step process, as shown in Figures 5 and 6.
• Figure 5 shows an example of ranging for the year
• Figure 6 shows an example of ranging for month-year, and how the wild file date can be established as August of 2009 in a particular example.
• One of the individuals shown, Steven Box had a birthday in September, and his age changed. But the ages for Jack Joseph and Mark Miserd, with birthdays in November and December, respectively, did not change. Stevens's age shows as 46-47, Jack's as 30-31 , and Mark's as 44-45, and given their birth months, it may be deduced that the file date must be August of 2009.
• Age information is often acquired by third-party data providers, and even first parties, from sources such as web forms, where people do not put their true age. The result is that ages in a wild file W, could be highly inaccurate, lacking a DOB anchor to validate against.
• the Data Provider does not know if any included age data is from D, hence there is no guarantee that the data in the file is accurate on an individualized basis. In this case, they use the same mechanic against a DOB anchor, but only keep age matches on recognized individuals. This means they have matched the records and put them through some type of recognition process, where the ages between the two files are the same (for one-year increments) or, in the case of two-year ranges, where the age ranges are the same. The rest of the data is considered “tainted" and is discarded.
• This use case is important when the service is provided by the Data Owner to third parties. It allows the provider to date the source file for wild files (Wi's) 1 3 suspected of containing those third parties' data.
• Change fingerprinting has a second mechanic, layered on top of the one described previously, which helps triangulate the month and year of the correct S j,t .
• This mechanic takes advantage of the fact that records are added to or deleted from S j as it is created and then refreshed at times t, t+1 , t+2... .t+n.
• people are typically added when they turn 18, and removed once they are 61 or are deceased.
• those additions and deletions as a specific type of salted record (“natural salted records”) that allows the Data Owner to more accurately determine the month and year of a specific file.
• Figure 7 serves to illustrate the use of naturally salted records.
• the wild file 1 3 is a representative statistical sample of the Data Providers file, simply sorting the wild file 13 by DOB from oldest to most recent provides the date (month and year) of file creation. The most recent DOB dates will be for the most recently added 18 year olds. If the wild file 13 is from the current month, say November of 2016, the most recent DOB on the file will be November of 1 998, exactly 1 8 years ago. If the most recent DOBs on the file are from March of 1 998, the wild file 13 was created in March 2016. If the wild file 13 was created in July of 2010, the latest DOB on the file would be July 1992. This mechanism can be used for quickly determining file creation date, and serves as an alternative validation to the main proposed DOB mechanism.
• the change fingerprinting process can also be extended, in an alternative embodiment of the invention, to any change in a database field occurring between two dates, as long as an audit trail of original files is maintained. For example, if Lisa DeBeers was shown as unmarried in July 2010 but married in September 2010, and if she was shown as married in the Wi 13 (she was a child bride), it would serve as another signal that the original S j, t could not have predated September 2010. As such, the accuracy of the prediction by ranging on the earlier timeframe of the S j,t (whereas the loss of Rosa Vasquez ranges on the later timeframe) is reaffirmed.
• types of data files that might contain this data include:
• the lack of a dependable age anchor is usually not an issue for data tables containing information about "hard goods” like dishwashers, plumbing pipes, watches, stereos, and televisions, among many others, where a product date, warranty date, batch id, and batch ship dates are inherent in a file, or ages of the product vary less than in typical consumer data. Take for example data on used cars on a website dealer such as autotrader.com.
• the model year of the car is known from the 10 th digit of the Vehicle Identification Number, so if a data file containing car ages was stolen and Edmunds wanted to know if the data came from their databases and if so when (the month and year), it would be unlikely that the underlying age data is inaccurate or that a Bad Actor could manipulate that specific feature without the tampering being evident.

Applications Claiming Priority (2)

Publications (2)

Family

ID=59563359

Family Applications (1)

Country Status (5)

Family Cites Families (26)

• 2017
  • 2017-02-08 WO PCT/US2017/017007 patent/WO2017139372A1/en active Application Filing
  • 2017-02-08 CA CA3014072A patent/CA3014072A1/en not_active Abandoned
  • 2017-02-08 US US16/076,158 patent/US11409899B2/en active Active
  • 2017-02-08 EP EP17750692.0A patent/EP3414885A4/de not_active Withdrawn
  • 2017-02-08 CN CN201780021979.2A patent/CN109416717A/zh active Pending

Also Published As

Similar Documents

Legal Events